IIS return 302 instead of 401

Question

Hi guys i m having a problem with CustomErrors in web.config, i'm trying to show a custom page for the error 401, but when a user try to access the controller and haven't authorization.

In this case the return is 302 but must be 401, i tried to use the Application_EndRequest() in Global.asax to change the Response.Status Code :

void Application_EndRequest(object sender, EventArgs e)
{
    if (Context.Response.StatusCode == 302)
    {
        Context.Response.Clear();
        Context.Response.StatusCode = 401;
    }
}

with this the error returned is the 401 but the page of custom errors is not displayed, just a default message of IIS

Unauthorized: Access is denied due to invalid credentials

how can i make the custom errors show the right page for 401 error ?

Answer 1

I found the solution for my problem here

Using a custom authorization attribute for redirect to the "AccessDenied" page

Answer 2

If you are using Forms Authentication, then 401 is handled internally by ASP.NET and used in the Challenge/Response mechanism for authentication. When you use authentication, you specify a login page, and when a user is not authorized, they are redirect to that page to log in.

There is a difference between a 401, which unauthorized and 403, which is Forbidden.

If you're using Windows Authentication, Digest, or Basic then you will get a 401 Challenge popup. ASP.NET intercepts 401 so that you don't get popups, and can instead deal with authentication errors in forms.

Answer 3

Take a look at the solution for custom errors in MVC answered on another question within stackoverflow at https://stackoverflow.com/a/620559/686674

You want to override Application_Error rather than Application_EndRequest.